Apple patches vulnerabilities used by NSO Group, but the battle isn’t over.

Yesterday, Apple released a series of urgent software updates to its iPhone, iPad, Apple Watch, and Mac products. All of these updates have one major thing in common: CVE-2021-30860.

CVE identifiers are issued under a program run by the MITRE Corporation so that a single vulnerability has one name that researchers, vendors and scanning tools can all refer to; the CVE number itself says nothing about severity, which is scored separately (for example with CVSS). Vendors cite the CVE in their release notes so you can tell which issues an update fixes. The CVE website hasn’t been updated with details on CVE-2021-30860 as of this writing, but Apple’s advisories credit the finding to The Citizen Lab at the University of Toronto, which is cited in all of Apple’s notes on the September 13 software updates.

Citizen Lab itself has written a description of the security issue, called FORCEDENTRY. According to Citizen Lab, the problem impacts “All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.” That’s a very significant number of devices out in the wild, and you should go update your devices right now.

  • macOS: Go to the Apple menu, choose About This Mac, then click the Software Update button
  • iPhone/iPad: Go to the Settings app, tap General, tap Software Update
  • Apple Watch: The Apple Watch should update after your iPhone updates. It’s a little wild that our watches get software updates now, isn’t it? Used to be that we’d just have to change the battery every so often.

If you see an update called Safari 14.1.2 or Security Update 2021-005 Catalina, those are part of the same September 13 batch of fixes and you should install them too.
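Because Catalina is fixed by a named security update rather than a version bump, a simple “is my version number high enough” check gets the Catalina case wrong. The script below, an added example that is not from the original post, encodes the thresholds from Citizen Lab’s affected list (iOS/iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2, Security Update 2021-005 for Catalina) and compares version strings numerically rather than as text, so 11.10 is correctly treated as newer than 11.6. On a Mac it reads the version from `sw_vers` and the update history from `softwareupdate --history`; the function and platform names are my own.

```shell
#!/bin/sh
# Added example: classify an Apple OS version against the September 13, 2021
# fixes for CVE-2021-30860. Thresholds are taken from Citizen Lab's affected
# list; function and platform names are this example's own choices.

# version_ge A B: succeed (0) when dotted version A >= B, comparing each
# component as an integer (so 11.10 > 11.6). Components must be plain digits.
version_ge() {
  a_rest="$1."; b_rest="$2."
  while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
    x=${a_rest%%.*}; a_rest=${a_rest#*.}
    y=${b_rest%%.*}; b_rest=${b_rest#*.}
    x=${x:-0}; y=${y:-0}          # missing trailing components count as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0                        # all components equal
}

# patched_minimum PLATFORM: first release that carries the fix.
patched_minimum() {
  case "$1" in
    ios|ipados) echo 14.8 ;;
    macos)      echo 11.6 ;;
    watchos)    echo 7.6.2 ;;
    *)          return 1 ;;
  esac
}

# status PLATFORM VERSION [HISTORY]: print "patched" or a "vulnerable: ..."
# line and return 0 or 1 accordingly. HISTORY is the text of
# `softwareupdate --history`, consulted only for Catalina (10.15.x), which
# stays at 10.15.7 and gets the fix as "Security Update 2021-005" instead.
status() {
  platform="$1"; ver="$2"; history="$3"
  min=$(patched_minimum "$platform") || { echo "unknown platform: $platform"; return 2; }
  if [ "$platform" = macos ]; then
    case "$ver" in
      10.15|10.15.*)
        if printf '%s\n' "$history" | grep -q 'Security Update 2021-005'; then
          echo patched; return 0
        fi
        echo "vulnerable: install Security Update 2021-005 Catalina"; return 1 ;;
    esac
  fi
  if version_ge "$ver" "$min"; then
    echo patched; return 0
  fi
  echo "vulnerable: update to $min or later"; return 1
}

# When run on a Mac, check the machine we are on. Elsewhere this is a no-op so
# the functions above can be sourced and used with values from an MDM export.
if [ "$(uname -s)" = Darwin ]; then
  status macos "$(sw_vers -productVersion)" "$(softwareupdate --history 2>/dev/null)"
fi
```

The exit status makes the function usable in a fleet script: loop over exported (platform, version) pairs and collect the lines that return 1. For iPhones and Watches there is no command-line equivalent of `sw_vers`, so feed those versions in from whatever inventory you already have.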

[Screenshot: the macOS Software Update window showing “An update is available for your Mac: macOS Big Sur 11.6”.] Be sure to run software updates on all your Apple devices.

Citizen Lab found FORCEDENTRY while inspecting the phone of a Saudi Arabian activist who had been infected with the NSO Group’s Pegasus software. Pegasus made the news again about a month ago when a list of potentially targeted phone numbers was made public.

Pegasus is a suite of tools sold by the Israeli company NSO Group to break into phones without the target ever knowing. Sometimes the target has to click a link in a text message that opens a webpage, and the webpage exploits a vulnerability that lets Pegasus take over the phone. In other cases the attack requires nothing from the victim at all. FORCEDENTRY is the latter kind: the attacker sends a specially crafted PDF file over iMessage that triggers a flaw in IMTranscoderAgent, the Apple component that processes incoming images, crashing the service and, through further steps, installing malware on the phone. Attacks that need no action from the target are called zero-click attacks, and they are especially dangerous because there is no link, prompt or visible crash to tell you that you’ve been hit.

You should still be concerned about the NSO Group

Even if you’re not an activist, organizer, human rights worker or journalist, you should still be concerned about these sorts of attacks. NSO employs hundreds of people with the technical skills to not only find these security issues but to craft these malicious ways to take advantage of them.

But this is not unique to NSO. Researchers, government agencies, companies and others, with good or bad intentions, are looking for the same kinds of vulnerabilities. In the best case they practice responsible disclosure: rather than telling the world, they notify the vendor, give it time to ship an update, and only then publish their research. In other cases a flaw is disclosed or exploited before the vendor has a fix; that is a 0-day, so called because the vendor has had zero days to prepare a software update. In still other cases, companies like NSO Group and agencies like the NSA hold the vulnerabilities close, never telling anyone, so they can keep exploiting them themselves.

As I wrote for Liberation News in 2017,

Security bugs in computer software are nothing new. When a software maker learns of or discovers a security hole, they usually work quickly to fix it and release a software patch to customers so that they aren’t vulnerable. An entire industry of security researchers sometimes known as “white-hat hackers” practices responsible disclosure, giving the companies a reasonable amount of time to fix the security problems before publicly announcing them.

The NSA also looks for security vulnerabilities to exploit in software so it can further its surveillance and intelligence collection, but does not notify vendors of the issues it finds: Fixing those issues would cause the NSA to lose access to its targets. Microsoft released a fix for the EternalBlue exploit used in WannaCry and NotPetya a month before the ShadowBrokers release, but many computers remain vulnerable because they haven’t been fixed.

(From “NotPetya ransomware a result of NSA mass surveillance”, Liberation News, 2017.)

Nothing is stopping a group outside of NSO from finding and exploiting these same vulnerabilities in a different way to install spyware or ransomware on your device, even if you’re not considered a targeted person.

Responsible disclosure is part of the solution

In July 2021, the Chinese government outlined new rules for software makers and security researchers. According to a translation by The Record, the new rules make it illegal to “collect, sell, or publish information on network product security vulnerabilities”; require organizations to keep logs of vulnerability reports for 6 months and to share vulnerability reports with the Ministry of Industry and Information Technology within 2 days; prohibit irresponsible methods of disclosure, including those that would create 0-days; and more.

While disagreements exist on the effectiveness of these new rules, the idea that corporations, researchers and individuals must act responsibly and respectfully is a key part of the solution. Regulation of the spyware and 0-day markets that also respects the work of security researchers and does not hinder legitimate research is another.